According to RFC2616:
The Referer[sic] request-header field allows the client to specify, for the
If you have control on abc, def… try using a more robust method that a simple
Thank you for your concern and pointing this out. I should have
mentioned that I am aware of the limitations of this approach and that
the referrer can be absent or easily faked.
However I do not have control over the GET requests coming in. Basically
we give our users an id=accountX string and only want to provide the
requested content if they embed the link to us within their web site for
which we allow such usage (as deemed from the referrer).
Although they can easily fake the referrer it will not do them much good
to do so because they will want to link to our user’s web site, and
unless they instruct their web site users to take special measures to
hide or forge their referrer (this would not be worth it for them
anyway) then this method should be sufficient
So assuming that its “good enough” for me to rely on matching their
account id to a referrer what would you say is the best way to do what I
was inquiring about in my original message on the subject?
If you use a POST or a GET you should be able to develop a specific Nginx module
to avoid thousands of regex and without need to call your application.
In light of my response above do you still think that is the best way to
go? Basically I’d create a module so that I could do something like add
a “authenticate” directive (something I made up that my module looks
for) to one “location” block, and then enforce all that logic from my
That certainly seems like a more efficient way of doing it since I won’t
have to define thousands of “location” blocks. Although I imagine the
processing speed won’t be much different, as it’ll still have to do
thousands of regex comparisons. Well, then again maybe it wouldn’t - I
could probably take their account id from the query string and use it
for a hash lookup to acess a string of valid referrers and compare
Be a better friend, newshound, and
know-it-all with Yahoo! Mobile. Try it now.